Security Tools provides you with a generous set of utilities that can help you manage most areas of security on your iSeries. The tools are divided into two groups. The interactive tools contain tools for managing security attributes related to user profiles and system security auditing. The reporting tools contain a number of reports that can help you identify conditions that can lead to security problems. For instance, there is a report that lists all programs that adopt the owner's authority.
Accessing and using the interactive tools
The easiest way to access the security tools is via the SECTOOLS menu. Type "GO SECTOOLS" on any command line, and if you are authorized to access them, you will be able to use any of the security tools listed.
To activate a tool, simply type its menu option number and press Enter. You will be prompted for any additional information. For example, to see a list of user profiles due to expire in the future, type a "7" (Display expiration schedule) and press Enter. The system will prompt you for an output option (display or print). Press Enter again after making the appropriate selection.
How to access the reporting tools
You have a choice of three methods when it comes to creating security reports:
- Interactively. You can run any of the numerous reports from the SECTOOLS menu. The reports are listed on this menu after the interactive tools. Many of the reports are fairly long-running, so use this method with caution.
- Batch mode. To produce a report in batch mode, use the SECBATCH menu. The reports are listed in the same order on this menu as they are on the SECTOOLS menu.
- Scheduled batch mode. This option is like the previous option except you can schedule the report to run during off hours. Again, use the SECBATCH menu to schedule a report. The scheduled reports are listed after the regular batch reports on this menu.
Tip: You can access the SECBATCH menu from the SECTOOLS menu by using menu option 20 (Submit or schedule security reports to batch).
"Change only" reports save you time
Most of the reports have a Change report only option that can save you a lot of time. Each time you run a report, the system saves related information in a system file. When you choose the Change report only option, the system uses the information in the file to produce a report that reflects only the things that have changed since the last time the report was produced. The system also updates the system file with the current information.
For example, the Adopting objects report produces information on programs and service programs that use adopted authority (i.e., run using the authority of the program's owner). When you choose the Change report only option for this report, the produced report will show only the programs and service programs that have been created or changed since the last time the report was run.
Note: When you run a complete report, the associated system file is completely replaced with the new information. If you choose the Change report only option but have never run the report before, the report will run as though you chose a complete report. That is, since there is no baseline information in the system file, the system will produce a complete report.
Security tools lack sophistication
As mentioned above, many of the reports save information in a system file to support the Change report only option. Unfortunately, that means only one "copy" of any given tool can run at any given moment. In and of itself, that is not a major drawback. The problem is that you have to ensure that manually.
You can run different tools at the same time. However, because the documentation is not clear about interaction among different tools, it is probably best to run only one tool at a time.
Also, the security tools lack the "work with" user interface of other operating system features. For example, the security tools lack a single screen that lists the user profiles scheduled for activation and expiration and that provides you with options that allow you to make modifications right there. Instead, you have to request the list of profiles scheduled for either activation or expiration. If you need to make changes, you must first exit the list and then run individual commands to effect the changes.
Finally, IBM implemented the options on the SECBATCH menu by simply combining the associated command with a SBMJOB command. But they did not specify any other parameters on the SBMJOB command, such as the Job name, to help identify the job. So, for example, if you don't want a bunch of jobs all named QDFTJOBD (or some other name), make sure you change the Job name parameter when the SBMJOB command is prompted. Note: This drawback does not exist for reports submitted for Scheduled batch mode because the Job name parameter is a required parameter on the ADDJOBSCDE command.
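As an added example that is not from the article, the CL below submits the Adopting objects report (the PRTADPOBJ command) to batch with an explicit Job name and then schedules its Change report only form with ADDJOBSCDE; the job names ADPOBJFULL and ADPOBJCHG and the weekly Sunday schedule are assumptions.

```cl
/* Added example, not from the article. Command and parameter names are   */
/* IBM i CL; the job names and the schedule below are assumptions.         */

/* Full baseline run. This replaces the report's system file with the      */
/* current list of adopting programs, so later change-only runs have a     */
/* baseline to compare against. JOB() gives the batch job a findable name  */
/* instead of the job description's default.                               */
SBMJOB CMD(PRTADPOBJ USRPRF(*ALL) CHGRPTONLY(*NO)) +
       JOB(ADPOBJFULL)

/* Weekly change-only run through the job scheduler. Only programs and     */
/* service programs created or changed since the last run are reported.   */
/* ADDJOBSCDE requires JOB(), so scheduled entries are always identifiable.*/
ADDJOBSCDE JOB(ADPOBJCHG) +
           CMD(PRTADPOBJ USRPRF(*ALL) CHGRPTONLY(*YES)) +
           FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*SUN) SCDTIME(020000)

/* Check that the batch job and the schedule entry exist as named.         */
WRKSBMJOB
WRKJOBSCDE JOB(ADPOBJCHG)
```

If the first scheduled run happens before any baseline exists, it produces a complete report, exactly as the note above describes.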
TCP/IP security not a part of Security Tools
The one major feature missing from the Security Tools is a way to configure TCP/IP security. This is unfortunate because most of the iSeries world uses TCP/IP in one way or another. You can use the CFGTCP (Configure TCP/IP) command to help you with TCP/IP security.
The security tools are documented in the manual Tips and Tools for Securing Your AS/400-iSeries (SC41-5300). This manual is a good source for examples on how to use the tools.
About the author: Ron Turull is editor of Inside Version 5. He has more than 20 years' experience programming for and managing AS/400-iSeries systems.